Following the release of much-anticipated cybersecurity reporting guidelines for public companies, questions may persist about specifics of the new rules. Attorney David M. Lynn of Morrison & Foerster dives into all the details.
In July, the SEC adopted long-awaited amendments to its rules to require disclosure about cybersecurity risk management, strategy, governance and incident reporting by public companies. The SEC’s rulemaking action capped off over a decade of SEC guidance and enforcement interest relating to the disclosure of cybersecurity risks and incidents.
These new disclosure rules will require companies to evaluate and adapt their disclosure controls and procedures, management processes and governance structures around cybersecurity to prepare for the new environment of transparency in this critical area.
Background of the SEC’s cybersecurity disclosure requirements
In March 2022, the SEC proposed amendments to its rules to require real-time disclosures of material cybersecurity incidents, as well as disclosures regarding cybersecurity risk management, strategy and governance. The SEC received over 150 comment letters in response to the proposal. The SEC’s rulemaking action followed a dozen years of guidance on cybersecurity disclosures from the SEC, as well as a focus on cybersecurity disclosures by the SEC’s Division of Enforcement. In 2011, the SEC’s Division of Corporation Finance issued disclosure guidance to assist public companies in assessing what disclosures should be provided about cybersecurity matters, and, in 2018, the SEC issued interpretive guidance noting that public companies should inform investors about material cybersecurity risks and incidents in a timely fashion.
In recent years, the SEC has also brought several enforcement actions against public companies that experienced material cybersecurity incidents, focusing on the adequacy of disclosures about such incidents and whether those companies had appropriate disclosure controls and procedures to ensure the timely disclosure of material cybersecurity incidents.
Current reporting of cybersecurity incidents on Form 8-K
The SEC adopted new Item 1.05 of Form 8-K, titled “Material Cybersecurity Incidents.” Item 1.05(a) of Form 8-K specifies that, if a company experiences a cybersecurity incident that is determined by the company to be material, the company must describe the material aspects of the nature, scope and timing of the incident and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations. An Item 1.05 Form 8-K must be filed within four business days of determining that an incident is material, subject to the limited exceptions described below. (The required information must be tagged using Inline XBRL.)
The first exception applies to companies that are subject to the FCC’s notification rule for breaches of customer proprietary network information. These companies may delay providing the disclosures required by Item 1.05 for such period that is applicable under the FCC notification rule and in no event for more than seven business days after notification required under that provision has been made, so long as the company notifies the SEC in correspondence submitted via the EDGAR system no later than the date when the Item 1.05 Form 8-K was otherwise required to be filed.
The second exception contemplates a process where a company can delay the filing of an Item 1.05 Form 8-K if the U.S. attorney general determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. This allows a potential delay of the Form 8-K filing for up to 90 days, and if the attorney general indicates further delay is necessary, the SEC will consider additional requests for delay and may grant relief through exemptive orders. The SEC did not provide for any broader law enforcement exception or provide exceptions with respect to any other federal laws or regulations in the final amendments.
The SEC adopted amendments so that the untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility. Item 1.05 is also included in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Securities Exchange Act of 1934, as amended.
If the information called for in Item 1.05(a) of Form 8-K is not determined or is unavailable at the time of the required filing, the company must include a statement to that effect in the filing and then must file an amendment to the Form 8-K containing such information within four business days after the company, without unreasonable delay, determines such information or within four business days after such information becomes available.
Increasingly, companies are hiring chief data officers and chief data analytics officers to oversee their data environment. But while the need for these professionals is catching on, studies show they tend not to stay long.Read more
Periodic disclosures of cybersecurity risk management, strategy and governance
Under a new “Item 1C. Cybersecurity” in Part I of Form 10-K, companies will be required to disclose information regarding the company’s cybersecurity risk management, strategy and governance pursuant to new Item 106 of Regulation S-K. (The required information must be tagged using Inline XBRL.)
Item 106(b) of Regulation S-K says a company must describe its processes, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing these disclosures, a company should address, as applicable, the following non‑exclusive list of disclosure items:
- Whether and how any such processes have been integrated into the company’s overall risk management system or processes.
- Whether the company engages assessors, consultants, auditors or other third parties in connection with any such processes.
- Whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
A company must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations or financial condition, and, if so, how.
Item 106(c) of Regulation S-K requires a company to describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, a company must identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or board committee is informed about such risks.
A company must also describe management’s role in assessing and managing the issuer’s material risks from cybersecurity threats. In providing such disclosure, a company should address, as applicable, the following non-exclusive list of disclosure items:
- Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in as much detail as necessary to fully describe the nature of the expertise.
- The processes by which such people or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents.
- Whether such individuals or committees report information about such risks to the board of directors, a committee or a subcommittee of the board of directors.
Relevant expertise of management may include, for example, prior work experience in cybersecurity, any relevant degrees or certifications and any knowledge, skills, or other background in cybersecurity.
The SEC adopted Item 106(a) of Regulation S-K to define the terms “cybersecurity incident,” “cybersecurity threat” and “information systems,” as they are used in Item 106 of Regulation
S-K and Item 1.05 of Form 8-K, as follows:
- “Cybersecurity incident” means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.
- “Cybersecurity threat” means any potential unauthorized occurrence on or conducted through a company’s information systems that may result in adverse effects on the confidentiality, integrity or availability of a company’s information systems or any information residing therein.
- “Information systems” means electronic information resources, owned or used by the company, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of the company’s information to maintain or support the company’s operations.
Requirements for foreign private issuers
Foreign private issuers are not required to file current reports on Form 8-K, and instead must furnish on Form 6-K copies of all information that the foreign private issuer: (i) makes, or is required to make, public under the laws of its jurisdiction of incorporation; (ii) files, or is required to file, under the rules of any stock exchange; or (iii) otherwise distributes to its security holders. The SEC also amended General Instruction B of Form 6-K to reference material cybersecurity incidents among the items that may trigger a current report on Form 6-K. The SEC amended Form 20-F to add Item 16K, which requires a foreign private issuer to include in its annual report on Form 20-F the same type of disclosures that the SEC requires pursuant to Item 106 of Regulation S-K.
The final rules were effective Sept. 5. With respect to Item 106 of Regulation S-K and Item 16K of Form 20-F, all companies must provide the required disclosures beginning with annual reports for fiscal years ending on or after Dec. 15, 2023.
With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8-K and in Form 6-K, all companies other than smaller reporting companies must begin complying Dec. 18, 2023. Smaller reporting companies must begin complying with new Item 1.05 of Form 8-K by June 15, 2024.
With respect to compliance with the structured data requirements, all companies must tag disclosures required under the final rules in Inline XBRL beginning one year after the initial compliance date. As a result: (i) for Item 106 of Regulation S-K and Item 16K of Form 20-F, all companies must begin tagging responsive disclosures in Inline XBRL beginning with annual reports for fiscal years ending on or after Dec. 15, 2024; and (ii) for Item 1.05 of Form 8-K and Form 6-K, all companies must begin tagging responsive disclosures in Inline XBRL beginning Dec. 18, 2024.
Preparing for the requirements
The SEC’s final rules requiring disclosures regarding cybersecurity risk management, strategy, governance and incident reporting should prompt public companies to:
- Ensure that incident response policies and procedures provide a clear path to escalate incidents to corporate leadership and/or a disclosure committee and that disclosure controls and procedures are in place to discern the impact that an incident may have on the company.
- Establish the framework for undertaking a materiality assessment without unreasonable delay after discovery of the incident so that decisions about whether an incident must be disclosed under the SEC rules can be completed on a timely basis.
- Modify or establish disclosure controls and procedures to facilitate the reporting of material cybersecurity incidents, including the nature, scope and timing of the incident and the impact or reasonably likely impact of the incident on the company, including on the company’s financial condition and results of operations, within the four-business‑day deadline contemplated by new Item 1.05 of Form 8-K, as well as any information that was not determined or was unavailable at the time of the initial Form 8‑K filing.
- Prepare new disclosures for the company’s annual report regarding the company’s processes for the assessment, identification and management of material risks from cybersecurity threats; whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations or financial condition; the board’s oversight of risks from cybersecurity threats; and management’s role in assessing and managing material risks from cybersecurity threats.